Let $E : y^2 = x^3 + Ax + B$ be an elliptic curve defined over a finite field of
characteristic $p > 3$. In this paper we prove that the coefficient at $x^{\frac{1}{2}p(p-1)}$ in the $p$-th
division polynomial $\psi_p(x)$ of $E$ equals the coefficient at $x^{p-1}$ in $(x^3 + Ax + B)^{\frac{1}{2}(p-1)}$.
The first coefficient is zero if and only if the division polynomial has no roots, which is 
equivalent to E being supersingular. Deuring (1941) proved that this supersingularity is 
also equivalent to the vanishing of the second coefficient. So the zero loci of the coefficients 
(as functions of A and B) are equal; the main result in this paper is clearly stronger than 
this last statement. 



Introduction 

Let $\mathbb{F}_{p^k}$ be a finite field of characteristic $p > 3$ and let $E/\mathbb{F}_{p^k}$ be an elliptic curve given
by a short Weierstrass equation $E : y^2 = x^3 + Ax + B$. Associated to $E$, one defines
division polynomials $\psi_m$ (for every positive integer $m$), whose properties we shall review
in Section 1. These polynomials can be used to check whether $E$ is supersingular or not:

Division polynomial criterion 

$E$ is supersingular if and only if the coefficient at $x^{\frac{1}{2}p(p-1)}$ in $\psi_p$ is zero.

For example, let $E : y^2 = x^3 + Ax + B$ be an elliptic curve over $\mathbb{F}_{5^k}$. Then $\psi_5$ is equal to
$2Ax^{10} + 4A^2Bx^5 + (4B^4 - 2A^3B^2 + A^6)$. So $E$ is supersingular if and only if $A = 0$.
There is also a classical criterion, very similar (in wording) to the one above. 

Deuring criterion 

Let $E : y^2 = f(x)$ be an elliptic curve over $\mathbb{F}_{p^k}$, where $f(x) \in \mathbb{F}_{p^k}[x]$ is a
cubic polynomial with distinct roots in $\mathbb{F}_{p^k}$. Then $E$ is supersingular if and
only if the coefficient of $x^{p-1}$ in $f(x)^{(p-1)/2}$ is zero.



For a proof of this criterion, one can consult Silverman [Silv, V.4.1]. We reconsider the
above example: an elliptic curve $E : y^2 = x^3 + Ax + B$ over $\mathbb{F}_{5^k}$ is supersingular if and
only if the coefficient at $x^4$ in $(x^3 + Ax + B)^2$ is zero, i.e., if and only if $2A = 0$. This
is indeed the same criterion as the one we got using division polynomials. The striking 
similarity between the criteria actually has a deeper reason: not only do these coefficients 
at different monomials in different polynomials have the same zeros, they actually are 
equal, as we prove in Section 2. More precisely, we prove the following theorem: 

Theorem. Consider the elliptic curve $E : y^2 = x^3 + Ax + B$ over $\mathbb{Q}(A, B)$ (where $A$
and $B$ are transcendentals). Let $p > 3$ be prime and let $\ell_p(A, B)$ be the coefficient at
$x^{\frac{1}{2}p(p-1)}$ in the $p$-th division polynomial of $E$. Let $c_p(A, B)$ be the coefficient at $x^{p-1}$ in
$(x^3 + Ax + B)^{\frac{1}{2}(p-1)}$. Then $\ell_p(A, B) \equiv c_p(A, B) \pmod{p}$.

1. Division polynomials 

Let $\mathbb{F}_{p^k}$ be a finite field of characteristic $p > 3$, with $p^k$ elements. Let $E/\mathbb{F}_{p^k}$ be an
elliptic curve with Weierstrass model

$$E : y^2 + a_1xy + a_3y = x^3 + a_2x^2 + a_4x + a_6.$$

We denote the neutral element of the group law on $E$ by $O$, and denote the multiplication-by-$m$
isogeny by $[m]$. The division polynomials $(\psi_m)_{m \ge 1}$ associated to $E$ are defined by
recursion:

$$\psi_1 = 1, \quad \psi_2 = 2y + a_1x + a_3, \quad \psi_3 = 3x^4 + b_2x^3 + 3b_4x^2 + 3b_6x + b_8,$$

$$\psi_4 = \psi_2 \cdot \left(2x^6 + b_2x^5 + 5b_4x^4 + 10b_6x^3 + 10b_8x^2 + (b_2b_8 - b_4b_6)x + (b_4b_8 - b_6^2)\right),$$

and

$$\psi_{2m+1} = \psi_{m+2}\psi_m^3 - \psi_{m-1}\psi_{m+1}^3.$$

Recall that the $b$-quantities used in $\psi_3$ and $\psi_4$ are polynomials in the $a$-quantities: $b_2 =
a_1^2 + 4a_2$, $b_4 = 2a_4 + a_1a_3$, $b_6 = a_3^2 + 4a_6$ and $b_8 = a_1^2a_6 + 4a_2a_6 - a_1a_3a_4 + a_2a_3^2 - a_4^2$.
Every $\psi_m \in \mathbb{F}_{p^k}[x, y]$ can be written as a linear polynomial in $y$ over $\mathbb{F}_{p^k}[x]$ using the
Weierstrass equation. As such, one can prove that if $m$ is odd, then $\psi_m \in \mathbb{F}_{p^k}[x]$, and as a
polynomial in $x$, $\psi_m$ has degree at most $\frac{1}{2}(m^2 - 1)$ and the coefficient at $x^{\frac{1}{2}(m^2-1)}$ is equal
to $m$. In particular, since we assume $p$ to be an odd prime, the polynomial $\psi_p \in \mathbb{F}_{p^k}[x]$ has
degree strictly smaller than $\frac{1}{2}(p^2 - 1)$. The proofs of these claims can be found in various
places, e.g., [Enge, 3.6]. We will also need the following standard facts:

• The roots of $\psi_m$ are precisely the nontrivial $p$-torsion points on $E$, i.e., the points
$P \in E(\mathbb{F}_{p^k}) \setminus \{O\}$ satisfying $[p]P = O$.

• The polynomials $\psi_m^2$ and $\phi_m = x\psi_m^2 - \psi_{m-1}\psi_{m+1}$ can be considered as elements
of $\mathbb{F}_{p^k}[x]$ using the Weierstrass equation, and as such are relatively prime.

• Denoting the Weierstrass $x$-coordinate function on $E$ by $x$, the functions $x \circ [m]$
and $\phi_m/\psi_m^2$ on $E$ are equal.

We can deduce the following crucial result about the p-th division polynomial in charac- 
teristic p > 3. 

Proposition 1. Let $E/\mathbb{F}_{p^k}$ be an ordinary elliptic curve ($p > 3$ prime). Then $\psi_p$ has
degree $\frac{1}{2}p(p-1)$ and lies in $\mathbb{F}_{p^k}[x^p]$.

Proof. Note that $[p]$ is not separable and hence factors through the $p$-th power Frobenius

$$\Phi : E \to E^{(p)} : [X : Y : Z] \mapsto [X^p : Y^p : Z^p],$$

where $E^{(p)}$ is the elliptic curve defined by the Weierstrass equation with coefficients $a_i^p$.
(Cf. [Silv, II.2.12].) It follows that $x \circ [p]$ is a rational function of $x^p$ and $y^p$. Since finite
fields are perfect, this implies that $x \circ [p]$ is the $p$-th power of a rational function in $x$ and
$y$. So the coefficients of the divisor of $x \circ [p]$ are all divisible by $p$. Since $x \circ [p] = \phi_p/\psi_p^2$
where $\phi_p$ and $\psi_p^2$ are coprime, we find that the coefficients in $2\,\mathrm{div}(\psi_p)$ are $p$-divisible.
The zero set $Z$ of $\psi_p$ is equal to $(\ker[p])(\mathbb{F}_{p^k}) \setminus \{O\}$, and $\psi_p$ has only a pole at $O$, so

$$\mathrm{div}(\psi_p) = \sum_{P \in Z} n_P (P) - n(O),$$

where $n = \sum_{P \in Z} n_P$ and each $n_P \ge 1$. By the $p$-divisibility of the coefficients, we get
that $p$ divides each $2n_P$ and therefore divides each $n_P$ ($p$ is odd). It follows that $n_P \ge p$
and $n \ge p \cdot \#Z = p(p-1)$ because $E$ is ordinary. The polynomial $\psi_p \in \mathbb{F}_{p^k}[x]$ has degree
$\le \frac{1}{2}(p^2 - 1)$ and hence has order at least $1 - p^2$ in $O$. In other words, $-n \ge 1 - p^2$, which
together with $p \mid n$ implies that $n \le p(p-1)$. We find that $n = p(p-1)$ and hence

$$\mathrm{div}(\psi_p) = \sum_{P \in Z} p(P) - p(p-1)(O) = p\left(\sum_{P \in Z} (P) - (p-1)(O)\right).$$

The first implication is that the degree of $\psi_p \in \mathbb{F}_{p^k}[x]$ is equal to $-\frac{1}{2}\mathrm{ord}_O(\psi_p) = \frac{1}{2}p(p-1)$.
One also easily verifies that the sum of the points in $Z$ is equal to $O$, so the divisor
$\frac{1}{p}\mathrm{div}(\psi_p)$ is principal. Therefore, $\psi_p$ is the $p$-th power of a polynomial in $\mathbb{F}_{p^k}[x]$, which
(working in characteristic $p$) implies that $\psi_p \in \mathbb{F}_{p^k}[x^p]$. □

Remark. An alternative to prove this proposition is to use the main theorem from [Cass].
Cheon and Hahn [ChHa] prove the proposition for ordinary elliptic curves over the prime
field $\mathbb{F}_p$.

Example. Let $E : y^2 = x^3 + Ax + B$ be an elliptic curve over $\mathbb{F}_{5^k}$. Then $\psi_5$ is equal to
$2Ax^{10} + 4A^2Bx^5 + (4B^4 - 2A^3B^2 + A^6)$. Note that $\psi_5$ is indeed a function of $x^5$. It also
follows from the proposition that if $E$ is ordinary, then $\psi_5$ must have degree $5 \cdot 4/2 = 10$,
so $A \ne 0$ if $E$ is ordinary.

We can now derive the division polynomial criterion for supersingularity. Let $E/\mathbb{F}_{p^k}$
be an elliptic curve. Since the zeros of $\psi_p$ are precisely the nontrivial $p$-torsion points, $E$
is supersingular if and only if $\psi_p$ has no zeros, i.e., $\psi_p$ is a constant polynomial. This is
equivalent to all nonconstant coefficients of $\psi_p$ being zero and this means we have $O(p^2)$
equations to be satisfied. (Indeed, $p$ is odd, so $\psi_p$ can be written as a polynomial in $x$ of
degree at most $\frac{1}{2}(p^2 - 1)$.) But we know that if $E$ is ordinary, then $\psi_p$ has degree $\frac{1}{2}p(p-1)$.
This implies that $E$ is supersingular if and only if the coefficient at $x^{\frac{1}{2}p(p-1)}$ in $\psi_p$ is zero,
which is the division polynomial criterion mentioned in the introduction.

Example. Reconsider the previous example. Then $\psi_5$ is constant if and only if $2A =
4A^2B = 0$, which indeed is equivalent to $2A = 0$. In other words: $E$ is supersingular if
and only if $A = 0$. Note that we went from $12 = (5^2 - 1)/2$ equations (in characteristic
zero, or when we want to work over $\mathbb{Z}[A, B, x, y]$, we need all the nonconstant coefficients
to be zero) to $(5 - 1)/2 = 2$ equations (because $\psi_5$ turned out to be a function of $x^5$), to
just one equation.

2. Proof of the Theorem

Let us first fix some notation. Let $A$ and $B$ be indeterminates and consider the sequence
of polynomials in $\mathbb{Z}[x, y, A, B]$ defined by

$$\psi_0 = 0,$$
$$\psi_1 = 1,$$
$$\psi_2 = 2y,$$
$$\psi_3 = 3x^4 + 6Ax^2 + 12Bx - A^2,$$
$$\psi_4 = 2y\left(2x^6 + 10Ax^4 + 40Bx^3 - 10A^2x^2 - 8ABx - 2(A^3 + 8B^2)\right),$$

the relation $y^2 = x^3 + Ax + B$, and the recursion formulas

$$\psi_{2m+1} = \psi_{m+2}\psi_m^3 - \psi_{m-1}\psi_{m+1}^3,$$

$$2y\,\psi_{2m} = \psi_{m-1}^2\psi_m\psi_{m+2} - \psi_{m-2}\psi_m\psi_{m+1}^2.$$

One can easily prove that $\psi_m \in \mathbb{Z}[x, A, B]$ if $m$ is odd, so we write $\psi_p(x, A, B)$ to denote
the $p$-th polynomial in this sequence. Now define $\ell_p(A, B)$ to be the coefficient
at $x^{\frac{1}{2}p(p-1)}$ in $\psi_p(x, A, B) \in \mathbb{Z}[x, A, B]$. Define $c_p(A, B)$ as the coefficient at $x^{p-1}$ in
$(x^3 + Ax + B)^{\frac{1}{2}(p-1)}$. For example, $\ell_5(A, B) = 62A$ (we are not yet reducing mod 5)
and $c_5(A, B) = 2A$.

Theorem. Let $p > 3$ be a prime number. Then $c_p(A, B) \equiv \ell_p(A, B) \pmod{p}$.
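
Added example (not code from the paper): a Python check of the theorem that builds the division polynomials over $\mathbb{Z}$ for integer values of $A$ and $B$ with the recursion above, then compares $\ell_p$ with $c_p$ modulo $p$. The function names and the bookkeeping $\psi_n = y \cdot g_n$ for even $n$ are choices made for this example.

```python
# Added example: integer polynomials are ascending coefficient lists.
def pmul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] += x * y
    return out

def psub(a, b):
    n = max(len(a), len(b))
    a, b = a + [0] * (n - len(a)), b + [0] * (n - len(b))
    return [x - y for x, y in zip(a, b)]

def ppow(a, e):
    out = [1]
    for _ in range(e):
        out = pmul(out, a)
    return out

def division_polys(n_max, A, B):
    """g[n] with psi_n = g[n] for odd n and psi_n = y*g[n] for even n (y^2 = F)."""
    F2 = ppow([B, A, 0, 1], 2)  # y^4 = F^2 = (x^3 + Ax + B)^2
    g = {0: [0], 1: [1], 2: [2],
         3: [-A * A, 12 * B, 6 * A, 0, 3],
         4: [-4 * (A**3 + 8 * B * B), -16 * A * B, -20 * A * A,
             80 * B, 20 * A, 0, 4]}
    for n in range(5, n_max + 1):
        m = n // 2
        if n % 2:  # psi_{2m+1} = psi_{m+2} psi_m^3 - psi_{m-1} psi_{m+1}^3
            s = pmul(g[m + 2], ppow(g[m], 3))
            t = pmul(g[m - 1], ppow(g[m + 1], 3))
            # the product whose indices are even carries the factor y^4
            g[n] = psub(pmul(F2, s), t) if m % 2 == 0 else psub(s, pmul(F2, t))
        else:      # 2y psi_{2m} = psi_m (psi_{m+2} psi_{m-1}^2 - psi_{m-2} psi_{m+1}^2)
            inner = psub(pmul(g[m + 2], ppow(g[m - 1], 2)),
                         pmul(g[m - 2], ppow(g[m + 1], 2)))
            g[n] = [c // 2 for c in pmul(g[m], inner)]  # division is exact over Z
    return g

def ell_p(p, A, B):
    """Coefficient at x^(p(p-1)/2) in psi_p, as an integer (not reduced mod p)."""
    g = division_polys(p, A, B)[p]
    d = p * (p - 1) // 2
    return g[d] if d < len(g) else 0

def c_p(p, A, B):
    """Coefficient at x^(p-1) in (x^3 + Ax + B)^((p-1)/2)."""
    return ppow([B, A, 0, 1], (p - 1) // 2)[p - 1]

def is_supersingular(p, A, B):
    """Deuring criterion for a nonsingular curve over F_p, p > 3."""
    return c_p(p, A, B) % p == 0

if __name__ == "__main__":
    for p, A, B in [(5, 3, 2), (7, 1, 0), (13, 1, 0)]:  # constructed sample curves
        print(p, A, B, ell_p(p, A, B), c_p(p, A, B), is_supersingular(p, A, B))
```

For $p = 5$ and $A = 3$ the two integers differ ($186$ against $6$) and agree only after reduction modulo 5, which is the content of the theorem.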

The remainder of this section consists of the proof of the theorem. To simplify notations,
write $p = 2q + 1$ with $q \in \mathbb{Z}$. One can easily check the theorem for $p = 3$: both coefficients
are zero. So suppose $p \ge 5$ from now on.

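2.1. Step 1: $c_p(A, B)$ as a sum. First, we compute $c_p(A, B)$ by using Newton's trinomial
identity:

$$(x^3 + Ax + B)^q = \sum_{(i,j,k) \in S} \binom{q}{i,j,k} x^{3i+j} A^j B^k,$$

where $S = \{(i, j, k) \in \mathbb{Z}^3 \mid i, j, k \ge 0,\ i + j + k = q\}$ and

$$\binom{q}{i,j,k} = \frac{q!}{i!\,j!\,k!}.$$

Hence,

$$c_p(A, B) = \sum_{(i,j,k) \in S_0} \binom{q}{i,j,k} A^j B^k,$$

where $S_0 = \{(i, j, k) \in S \mid 3i + j = p - 1 = 2q\}$. Let us determine $S_0$ more explicitly.
The triple $(i, j, k)$ is in $S_0$ if and only if $i = \frac{1}{3}(2q - j)$, $k = q - i - j = \frac{1}{3}(q - 2j)$, and
$i, j, k$ are non-negative integers. So

$$S_0 = \left\{ \left(\tfrac{1}{3}(2q - j),\ j,\ \tfrac{1}{3}(q - 2j)\right) \;\middle|\; j \equiv -q \pmod{3},\ j \in \mathbb{Z} \cap [0, \tfrac{1}{2}q] \right\}.$$

We find that

$$c_p(A, B) = \sum_{j \in J} \binom{q}{\frac{1}{3}(2q - j),\ j,\ \frac{1}{3}(q - 2j)} A^j B^{\frac{1}{3}(q - 2j)},$$

where $J = \{ j \in \mathbb{Z} \mid j \equiv -q \pmod{3},\ 0 \le j \le \frac{1}{2}q \}$.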

2.2. Step 2: $\ell_p(A, B)$ as a sum. Write $\psi_p(x, A, B) = \sum_t \beta_t(A, B)x^t$, with $\beta_t(A, B) \in
\mathbb{Z}[A, B]$. Note that if we give $x$ degree 1, $A$ degree 2 and $B$ degree 3, then $y^2 = x^3 + Ax + B$
is homogeneous of degree 3, so giving $y$ degree $\frac{3}{2}$ is well-defined. Also, one can now
prove by induction that $\psi_m(x, y, A, B)$ is homogeneous of degree $\frac{1}{2}(m^2 - 1)$. It follows
that $\beta_t(A, B)$ is a homogeneous polynomial of (weighted) degree $\frac{1}{2}(p^2 - 1) - t$, and hence,
it contains only monomials of the form $A^rB^s$ with $2r + 3s = \frac{1}{2}(p^2 - 1) - t$. Hence write

$$\beta_t(A, B) = \sum_{2r+3s = \frac{1}{2}(p^2-1) - t} \alpha_{r,s} A^r B^s,$$

with $\alpha_{r,s} \in \mathbb{Z}$. We know that $\psi_p$ has leading coefficient $p$ (as a polynomial in $x$), so
$\beta_{\frac{1}{2}(p^2-1)} = p$ and hence $\alpha_{0,0} = p$. Also, $\alpha_{r,s} = 0$ if $r < 0$ or $s < 0$. The following result
tells us how, for $t$ close to $\frac{1}{2}(p^2 - 1)$, the coefficients in $\beta_t$ look like (modulo $p^2$).
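Lemma 1. For $0 < 2r + 3s < q$ we have

$$\alpha_{r,s} \in -\frac{(d-1)(d-\frac{3}{2})}{d(d+\frac{1}{2})}\,\alpha_{r-1,s} - \frac{(d-\frac{3}{2})(d-\frac{5}{2})}{d(d+\frac{1}{2})}\,\alpha_{r,s-1} + p^2\mathbb{Z}_{p\mathbb{Z}},$$

where $\mathbb{Z}_{p\mathbb{Z}}$ is the localization of $\mathbb{Z}$ by $\mathbb{Z} \setminus p\mathbb{Z}$ (invert everything that is not divisible by $p$).
Proof. By [McKe, Eq. (3)] we know that, for $d = 2r + 3s$,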



p 2 + 5 \ / p 2 



2 

3(r + l)p a r +i, s -i - -(s + l)p 2 a r _ 2:S +i- 



Hence, 



$$d\left(d + \tfrac{1}{2}\right)\alpha_{r,s} = -(d-1)\left(d - \tfrac{3}{2}\right)\alpha_{r-1,s} - \left(d - \tfrac{3}{2}\right)\left(d - \tfrac{5}{2}\right)\alpha_{r,s-1} + p^2 w, \tag{2.1}$$

where $w$ is an expression using |, | and $\alpha_{r',s'}$ with $2r' + 3s' < d$. This yields a way
to compute $\alpha_{r,s}$ by induction on $d$. To do this, we need to invert $d$ and $2d + 1$. Now
note that $d = 2r + 3s$ is given to be in the set $\{1, 2, \ldots, q - 1\}$, so $p$ can not divide $d$ or
$2d + 1 < 2q + 1 = p$. So using equation (2.1) and the specific form of $w$, it follows by
induction that $\alpha_{r,s} \in \mathbb{Z}_{p\mathbb{Z}}$ for $0 < 2r + 3s < q$ (in other words: we don't need to invert $p$
to compute these coefficients). Since $\alpha_{r,s} = 0$ for $2r + 3s < 0$, $\alpha_{r,0} = \alpha_{0,s} = 0$ for $r$ and
$s$ negative, and $\alpha_{0,0} = p$, we can even say that $\alpha_{r,s} \in \mathbb{Z}_{p\mathbb{Z}}$ for $2r + 3s <$

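Again, using equation (2.1) and now using the fact that $\alpha_{r',s'} \in \mathbb{Z}_{p\mathbb{Z}}$ for $2r' + 3s' <
d < q$, we get

$$d\left(d + \tfrac{1}{2}\right)\alpha_{r,s} \in -(d-1)\left(d - \tfrac{3}{2}\right)\alpha_{r-1,s} - \left(d - \tfrac{3}{2}\right)\left(d - \tfrac{5}{2}\right)\alpha_{r,s-1} + p^2\mathbb{Z}_{p\mathbb{Z}}.$$

Now use the fact that $d\left(d + \frac{1}{2}\right)$ is not divisible by $p$ to conclude the proof. □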

As we noted in the proof, we can use the formula given in the preceding lemma to
compute $\alpha_{r,s}$ by induction. This is what we do in the next proposition, in which we solve
the above recurrence mod $p$. This is the crux of the proof of the theorem.

Proposition 2. If $r$ and $s$ are non-negative integers such that $0 \le 2r + 3s < q$, then

$$\alpha_{r,s} \in \left(\frac{-1}{4}\right)^{r+s} \frac{p}{4r + 6s + 1} \binom{2r + 2s}{r + s,\ r,\ s} + p^2\mathbb{Z}_{p\mathbb{Z}}.$$



Proof. We will prove this by induction on $d = 2r + 3s$, using the formula from Lemma 1.
All the equations below are modulo $p^2\mathbb{Z}_{p\mathbb{Z}}$. (One should be careful not to divide by a
multiple of $p$.) In Lemma 1 we see that $\alpha_{r,s}$ (modulo $p^2\mathbb{Z}_{p\mathbb{Z}}$) is determined by $\alpha_{r-1,s}$ and
$\alpha_{r,s-1}$, so the induction goes back to $d' = 2(r - 1) + 3s = d - 2$ and $d'' = 2r + 3(s - 1) =
d - 3$. This means that we should have $d \ge 3$, $r \ge 1$ and $s \ge 1$ to use induction.
So the first steps of the induction will have to compute $\alpha_{0,0}$, $\alpha_{1,0}$, $\alpha_{0,1}$ (i.e., $\alpha_{r,s}$ with
$2r + 3s \in \{0, 1, 2, 3\}$), as well as $\alpha_{r,0}$ and $\alpha_{0,s}$ for all non-negative integers $r, s$.

• We can check the small values to be true, using Lemma 1. We find $\alpha_{0,0} = p$,
$\alpha_{1,0} = -\frac{1}{10}p$ and $\alpha_{0,1} = -\frac{1}{14}p$, which is consistent with our formula.

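• By the recursion formula and $\alpha_{r,-1} = 0$, we know that for $0 < 2r < q$, we have

$$\alpha_{r,0} = -\frac{(2r-1)(4r-3)}{2r(4r+1)}\,\alpha_{r-1,0}.$$

Using this repeatedly, we get

$$\alpha_{r,0} = \left(\frac{-1}{2}\right)^r \frac{[(2r-1)(2r-3)\cdots 1] \cdot [(4r-3)(4r-7)\cdots 1]}{[r(r-1)\cdots 1] \cdot [(4r+1)(4r-3)\cdots 5]}\,\alpha_{0,0} = \left(\frac{-1}{2}\right)^r \frac{(2r-1)(2r-3)\cdots 1}{r!\,(4r+1)}\,p.$$

Using the fact that $(2r)! = [1 \cdot 3 \cdots (2r-1)] \cdot 2^r \cdot r!$, we find that

$$\alpha_{r,0} = \left(\frac{-1}{2}\right)^r \frac{(2r)!}{2^r \cdot (r!)^2 \cdot (4r+1)}\,p = \left(\frac{-1}{4}\right)^r \frac{p}{4r+1} \binom{2r}{r,\ r,\ 0},$$

which is consistent with our formula.
• Proving $\alpha_{0,s} = \left(\frac{-1}{4}\right)^s \frac{p}{6s+1} \binom{2s}{s,\ 0,\ s}$ can be done similarly.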
So now assume that our equation is true for all $d = 0, 1, \ldots, D$ with $D \ge 3$, and suppose
$r, s \ge 1$ (because we know it is true for $r = 0$ or $s = 0$). Since $r - 1, s - 1 \ge 0$ and
the degrees $2r' + 3s'$ in the recursion formula from Lemma 1 are in the interval of the
induction hypothesis, we get:

$$\alpha_{r,s} = -\frac{(2r+3s-1)(4r+6s-3)}{(2r+3s)(4r+6s+1)}\,\alpha_{r-1,s} - \frac{(4r+6s-3)(4r+6s-5)}{2(2r+3s)(4r+6s+1)}\,\alpha_{r,s-1}$$

$$= -\frac{(2r+3s-1)(4r+6s-3)}{(2r+3s)(4r+6s+1)} \left(\frac{-1}{4}\right)^{r+s-1} \frac{p}{4r+6s-3} \binom{2r+2s-2}{r+s-1,\ r-1,\ s}$$

$$\quad - \frac{(4r+6s-3)(4r+6s-5)}{2(2r+3s)(4r+6s+1)} \left(\frac{-1}{4}\right)^{r+s-1} \frac{p}{4r+6s-5} \binom{2r+2s-2}{r+s-1,\ r,\ s-1},$$

which a straightforward computation shows to be equal to

$$\left(\frac{-1}{4}\right)^{r+s} \frac{p}{4r+6s+1} \binom{2r+2s}{r+s,\ r,\ s}.$$

This proves the proposition. □

Note that we only used $d < q$ when we were dividing by $d + \frac{1}{2}$: we need this not to be a
multiple of $p$ as to keep the congruence modulo $p^2\mathbb{Z}_{p\mathbb{Z}}$ true. All the real calculations don't
use this assumption $d < q$, so using the proposition we get the following extension:



Proposition 3. If $r$ and $s$ are non-negative integers such that $2r + 3s = q$, then

$$\alpha_{r,s} \in \left(\frac{-1}{4}\right)^{r+s} \binom{2r + 2s}{r + s,\ r,\ s} + p\mathbb{Z}_{p\mathbb{Z}}.$$



Note that the factor $p/(4r + 6s + 1) = p/(2q + 1) = 1$ disappeared, and that we
only have a congruence modulo $p\mathbb{Z}_{p\mathbb{Z}}$. Also keep in mind that up until now, we were not
working in positive characteristic: these formulas say something about the coefficients of
$\psi_p(x, A, B) \in \mathbb{Z}[x, A, B]$. From Proposition 3 we find

$$\ell_p(A, B) = \beta_{\frac{1}{2}p(p-1)}(A, B) = \sum_{2r+3s=q} \alpha_{r,s} A^r B^s \equiv \sum_{2r+3s=q} \left(\frac{-1}{4}\right)^{r+s} \binom{2r+2s}{r+s,\ r,\ s} A^r B^s \pmod{p}.$$

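2.3. Step 3: equality of coefficients in the sums. We have proven that

$$c_p(A, B) = \sum_{j \in J} \binom{q}{\frac{1}{3}(2q - j),\ j,\ \frac{1}{3}(q - 2j)} A^j B^{\frac{1}{3}(q - 2j)},$$

where $J = \{ j \in \mathbb{Z} \mid j \equiv -q \pmod{3},\ 0 \le j \le \frac{1}{2}q \}$, and

$$\ell_p(A, B) \equiv \sum_{2r+3s=q} \left(\frac{-1}{4}\right)^{r+s} \binom{2r+2s}{r+s,\ r,\ s} A^r B^s \pmod{p}.$$

Note that the indices in this last sum are all couples $(r, s)$ of non-negative integers such
that $2r + 3s = q$. This condition is equivalent to $r$ and $s = \frac{1}{3}(q - 2r)$ being non-negative
integers, i.e., $0 \le r \le \frac{1}{2}q$ and $r \equiv -q \pmod{3}$. (For these $r$ and $s$ we have
$r + s = \frac{1}{3}(q + r)$.) It follows that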

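Therefore, $c_p(A, B) \equiv \ell_p(A, B) \pmod{p}$ is equivalent to proving

$$\binom{q}{\frac{1}{3}(2q - j),\ j,\ \frac{1}{3}(q - 2j)} \equiv \left(\frac{-1}{4}\right)^{\frac{1}{3}(q+j)} \binom{\frac{2}{3}(q + j)}{\frac{1}{3}(q + j),\ j,\ \frac{1}{3}(q - 2j)} \pmod{p}$$

for all $j \in J$. To prove this, put $j + q = 3k$ with $k \in \mathbb{Z}$ (then $\frac{1}{3}q \le k \le \frac{1}{2}q$) and rewrite
the congruence as

$$\binom{q}{q - k,\ j,\ q - 2k} \equiv \left(\frac{-1}{4}\right)^k \binom{2k}{k,\ j,\ q - 2k} \pmod{p}.$$

This is equivalent to

$$\frac{q!}{(q-k)!} \equiv \left(\frac{-1}{4}\right)^k \frac{(2k)!}{k!} \pmod{p}.$$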






CHRISTOPHE DEBRY 



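We rewrite the left hand side as follows:

$$\frac{q!}{(q-k)!} = q(q-1)\cdots(q-k+1) \equiv 2^{-k} \cdot (-1)(-3)\cdots(-2k+1) = (-2)^{-k}\, 1 \cdot 3 \cdots (2k-1)$$

$$= (-2)^{-k}\,\frac{(2k)!}{2^k\, k!} = \left(\frac{-1}{4}\right)^k \frac{(2k)!}{k!} \pmod{p},$$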

which is the desired congruence. This completes the proof of the theorem. 

3. A SPECIAL CURVE 

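Let $p$ be a prime congruent to 1 modulo 4 and consider the elliptic curve $y^2 = x^3 + x$
over the finite field $\mathbb{F}_p$. Write $p = 4k + 1$ with $k \in \mathbb{N}$. Then $c_p(1, 0)$ is the coefficient at
$x^{p-1} = x^{4k}$ in $(x^3 + x)^{2k} = x^{2k}(x^2 + 1)^{2k}$, which is clearly $\binom{2k}{k}$. On the other hand,

$$\ell_p(1, 0) \equiv \sum_{2r+3s=2k} \left(\frac{-1}{4}\right)^{r+s} \binom{2r+2s}{r+s,\ r,\ s} 1^r 0^s = \left(\frac{-1}{4}\right)^k \binom{2k}{k,\ k,\ 0} \pmod{p},$$

which reduces to $\ell_p(1, 0) \equiv \left(\frac{-1}{4}\right)^k \binom{2k}{k} = (-4)^{-k} \binom{2k}{k} \pmod{p}$. The theorem states
that $c_p(1, 0) \equiv \ell_p(1, 0) \pmod{p}$, which in this case implies that $(-4)^{-k} \equiv 1 \pmod{p}$.
Using $(-4)^{-1} \equiv k \pmod{p}$ we get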

Proposition 4. Let $k$ be a positive integer. If $4k + 1$ is prime, then it divides $k^k - 1$.

Alternative proof. Let $p = 4k + 1$ be prime. Then 2 is a quadratic residue mod $p$ if and
only if $k$ is even, so $(2/p) = 1$ if $k$ is even and $(2/p) = -1$ if $k$ is odd. It follows that

$$(-1)^k = \left(\frac{2}{p}\right) \equiv 2^{\frac{p-1}{2}} = 2^{2k} = 4^k \pmod{p},$$

so $k^k \equiv (-4k)^k = (1 - p)^k \equiv 1 \pmod{p}$, as desired. □